ldap: Add Sicily Authentication constants

The aduser1-ntlm.pcap contains bindRequest messages using Microsoft AD
specific Sicily Authentication [1]. Add the entries to the enum so we
don't log undefined for these and also check the NTLMSSP signature.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982

scripts/base/protocols/ldap/main.zeek

@@ -380,6 +380,10 @@ event LDAP::bind_request(c: connection,
     m$opcode = BIND_SIMPLE;
   } else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
     m$opcode = BIND_SASL;
+  } else if (authType == LDAP::BindAuthType_SICILY_NEGOTIATE ) {
+    m$opcode = "sicily_negotiate";
+  } else if (authType == LDAP::BindAuthType_SICILY_RESPONSE ) {
+    m$opcode = "sicily_response";
   } else {
     Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
     m$opcode = cat(authType);

src/analyzer/protocol/ldap/ldap.spicy

@@ -365,6 +365,12 @@ public type Message = unit(ctx: Ctx&) {
 public type BindAuthType = enum {
   BIND_AUTH_SIMPLE = 0,
   BIND_AUTH_SASL = 3,
+
+  # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
+  # 5.1.1.1.3 Sicily Authentication
+  SICILY_PACKAGE_DISCOVERY = 9,
+  SICILY_NEGOTIATE = 10,
+  SICILY_RESPONSE = 11,
 };
 
 type GSS_SPNEGO_negTokenInit = unit {
@@ -410,6 +416,12 @@ type SaslCredentials = unit() {
   };
 };
 
+type SicilyMessage = unit(bat: BindAuthType) {
+    # Just ensure the signature matches. We could do more,
+    # but it'd be better to forward to an NTLM analyzer.
+    signature: b"NTLMSSP";
+};
+
 type GSS_SPNEGO_Subsequent = unit {
   switch {
     -> spnegoChoiceByte: uint8(0xa1);
@@ -481,6 +493,14 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
     message.arg = self.saslCreds.mechanism;
     ctx.saslMechanism = self.saslCreds.mechanism;
   }
+
+
+  sicilyMessage: SicilyMessage(self.authType) &parse-from=self.authData if ((self.authType == BindAuthType::SICILY_NEGOTIATE
+                                                                             || self.authType == BindAuthType::SICILY_RESPONSE)
+                                                                            && (|self.authData| > 0)) {
+    message.arg = self.sicilyMessage.signature.decode();
+  }
+
 } &requires=(self?.authType && (self.authType != BindAuthType::Undef));
 
 type ServerSaslCreds = unit {

testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log

@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
 #types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	173945320	3	<undefined>	success	-	User1	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	1489001992	3	<undefined>	success	-	User1	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	173945320	3	sicily_negotiate	success	-	User1	NTLMSSP
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	1489001992	3	sicily_response	success	-	User1	NTLMSSP
 #close XXXX-XX-XX-XX-XX-XX